16 candles for first Internet worm

The first significant Internet worm appeared on this day 16 years ago, and online security has never been the same, security professionals say.

At around midnight on Nov. 2, 1988, the Morris worm, written by a 23-year-old student named Robert Tappan Morris, was released on the embryonic Internet.

Within hours, the worm's 99 lines of code overloaded thousands of Unix-based VAX and Sun Microsystems systems, forcing administrators to disconnect their computers from the network to try to stop the worm from spreading.

The Morris worm was part of a research project and was not designed to cause damage, but it was programmed to self-replicate. Unfortunately, the code contained a bug that allowed the worm to infect a single machine multiple times, which resulted in thousands of computers grinding to a halt.

Morris' worm was the first to spread on the Internet. But the very first appearance of a worm was in a 1982 paper by researchers John Shoch and Jon Hupp of the Xerox Palo Alto Research Center, who described a self-distributing program with a bug that managed to crash 100 machines in the research building.

Morris was convicted for his research, but did not serve time. He received a suspended sentence with community service and was fined $10,000.

At the time, the Internet was still a closed system used by universities and the military for research purposes. Once it was opened to the public--and became known as the World Wide Web--attitudes toward security had to change.

Sean Richmond, a senior technology consultant at Sophos Australia, said that since Morris, there have been fundamental changes in the way networks and computers communicate with each other, and that will continue to evolve over the next 16 years.

"At that time, commands such as 'remote login,' 'remote shell' and 'remote copy' were commonly used. The idea was that if you were logged into one machine, you could access another system, and it wouldn't even ask you for a login password. There was a level of trust," Richmond said.

Matt Dircks, vice president and product manager at network management specialists NetIQ, said that the biggest difference is the impact a network worm has on the general population.

When Morris hit in 1988, academics would have lost some of their research. But when worms like Blaster or Sasser start spreading on the modern Internet, it affects banks, government departments and even stops kids from researching their schoolwork from home, said Dircks.

"The stakes have gone up because the impact of the worm has changed in scope and in depth. The impact on people's daily lives is much more pronounced," Dircks said.

Sophos' Richmond said that malicious software is unlikely to go away over the next 16 years, but it should have less impact, as software companies develop their applications with security in mind rather than as an afterthought.

Richmond also said that the next-generation Internet will run on IPv6, or Internet Protocol version 6, which is a communications protocol that lays the foundation for a far more secure and safe online commercial environment.

"Security is being designed in the next TCP/IP version (IPv6), so the IP address will contain a knowledge and expectation of security. The current version IPv4 was built with a much more open world in mind. Security was not part of the initial design," he said. "In 16 years' time, the potential for something to spread widely and rapidly across everything will be diminished just by the underlying security."

However, NetIQ's Dircks said that IPv6 is a very long-term project, and because it will require so much hardware to be replaced, it will be a very slow upgrade cycle.

"Part of the solution is to build security into the architecture. But there are systems that are 30 or 40 years old still running, and the companies using them will not get rid of them, because they still work," Dircks said. "We are always going to have a heterogeneous world, and without painting a picture of doom, gloom and apocalypse, the problems are not going away."